AI benefits/risks

AI regulations are here – and most organizations aren’t ready  

(Adobe Stock)

COMMENTARY: For years, AI regulation was something enterprise leaders could discuss in the abstract: a future concern, a moving target, something to monitor. But today, with AI and AI regulation spreading rapidly, that time has ended. 

Across the globe, the regulatory framework for AI has become active and enforceable, with more laws and regulations rapidly coming into effect.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

The EU AI Act has already partially taken effect, with new enforcement deadlines fast approaching. And, Network and Information Systems 2 (NIS2) has expanded cybersecurity obligations that can apply to systems using AI. Similar governance regimes have taken shape across Asia-Pacific, while sector-specific requirements and local regulations are emerging in the United States.  

Boards, CISOs, privacy leaders, and technology executives need to understand that AI regulatory compliance represents an urgent, present-day concern. They also must understand that reaching compliance will present many challenges, because too many organizations lack the operational visibility and control needed to meet these regulatory requirements.  

Intent doesn’t equal compliance 

Organizations are increasingly using AI across regions and sectors, though research shows that security breaches are startlingly pervasive. Even though 9 in 10 organizations use AI or agentic AI on a daily or weekly basis, 88% of organizations experienced at least one agent-related security breach in the past year, according to recent research.  

Notably, this problem becomes more pronounced when confidence in AI security remains high. In that same study, more than 4 in 5 organizations said that they were confident in their ability to prevent unauthorized AI-related data access, yet up to 72% of confident organizations still experienced an unauthorized access incident in the past 12 months. 

This points to a fundamental disconnect that ties back to compliance. IT and security leaders believe that their systems are secure, but research shows that those beliefs are often inaccurate and not grounded in real visibility or true operational control. We might feel like we’re safe, but the data tells another story. 
 
So how do we comply with regulations that are dynamic and evolving? The same way we always have: with a standards-based and best practices approach. To reach compliance with AI regulations—which affect organizations regardless of whether or not they use AI—leaders can’t rely on good intentions and unsubstantiated confidence. They need to build systems and AI governance frameworks that can build real trust, prevent breaches, ensure compliance, and establish control over their data environments. 

Organizations lack visibility and control 

We can’t control what we can’t see. That’s why visibility remains the first and most essential condition of security and compliance.  

And yet, many organizations don’t know how many AI agents they have, or what those agents are doing. They also lack visibility into the AI tools that their employees use every day. According to our study, more than 1 in 5 organizations do not know whether unsanctioned tools are being used to create AI agents in their environment. Other studies show that there's a massive number of ungoverned agents deployed around the world: Gravitee estimates that there are 1.5 million ungoverned agents in the U.S. and UK alone. 

If we lack visibility, we lack control, and we won’t achieve compliance with increasingly complex regulations. Although many organizations have AI governance policies and frameworks, those efforts have not translated to real visibility. The data has made that clear. 

Compliance requires strong governance 

The EU AI Act, ISO 42001, NIST AI Risk Management Framework, and emerging sector-specific guidance all require organizations to understand what data AI systems use, how decisions are made, and where potential risks exist. Teams will need strong AI governance and data governance strategies—frameworks that ensure AI gets deployed responsibly, in an auditable fashion, and in alignment with both regulatory obligations and business objectives. 

Begin with discovery: inventory sanctioned and unsanctioned AI tools, map the data they can access, and assign clear business owners. Then enforce policy at the point of use by tying approvals, access controls, classification, retention, and audit trails to the sensitivity of the data AI can consume, create, or act on.

Operational AI governance also requires lifecycle control, data discovery, information management, and recovery planning so organizations can reduce overexposure, eliminate ROT data, and protect critical information before AI amplifies existing risk. 

That’s how we can operationalize AI safely: by implementing a trust layer that connects visibility, data protection, governance, identity, security, compliance, and recovery.

With those in place, organizations can prove controls are working, correct issues quickly, and recover to a "known-good" state. Without it, compliance stays reactive, and risk enters the environment faster than teams can contain it. 

The time clock keeps moving forward. Organizations that invest now in governance, security, and resilience infrastructure will avoid compliance issues later on. They’ll also scale AI knowing they can see it, govern it, audit it, and recover from data loss events and breaches. Those that wait may find that regulation doesn’t wait for them.

AI compliance has become an operational issue we all have to solve today, not something we can put off into the future.  

Dana Simberkoff, chief risk, privacy, and information security officer, AvePoint 

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds